diff --git a/doc/Makefile b/doc/Makefile
new file mode 100644
index 0000000..afa7ded
--- /dev/null
+++ b/doc/Makefile
@@ -0,0 +1,181 @@
+# Makefile for Sphinx documentation
+#
+
+# You can set these variables from the command line.
+SPHINXOPTS =
+SPHINXBUILD = sphinx-build
+PAPER =
+BUILDDIR = build
+
+# User-friendly check for sphinx-build
+ifeq ($(shell which $(SPHINXBUILD) >/dev/null 2>&1; echo $$?), 1)
+$(error The '$(SPHINXBUILD)' command was not found. Make sure you have Sphinx installed, then set the SPHINXBUILD environment variable to point to the full path of the '$(SPHINXBUILD)' executable. Alternatively you can add the directory with the executable to your PATH. If you don't have Sphinx installed, grab it from http://sphinx-doc.org/)
+endif
+
+# Internal variables.
+PAPEROPT_a4 = -D latex_paper_size=a4
+PAPEROPT_letter = -D latex_paper_size=letter
+ALLSPHINXOPTS = -d $(BUILDDIR)/doctrees $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
+# the i18n builder cannot share the environment and doctrees with the others
+I18NSPHINXOPTS = $(PAPEROPT_$(PAPER)) $(SPHINXOPTS) source
+
+.PHONY: help clean html dirhtml singlehtml pickle json htmlhelp qthelp devhelp epub latex latexpdf text man changes linkcheck doctest gettext lifehtml
+
+help:
+ @echo "Please use \`make ' where is one of"
+ @echo " html to make standalone HTML files"
+ @echo " dirhtml to make HTML files named index.html in directories"
+ @echo " singlehtml to make a single large HTML file"
+ @echo " pickle to make pickle files"
+ @echo " json to make JSON files"
+ @echo " htmlhelp to make HTML files and a HTML help project"
+ @echo " qthelp to make HTML files and a qthelp project"
+ @echo " devhelp to make HTML files and a Devhelp project"
+ @echo " epub to make an epub"
+ @echo " latex to make LaTeX files, you can set PAPER=a4 or PAPER=letter"
+ @echo " latexpdf to make LaTeX files and run them through pdflatex"
+ @echo " latexpdfja to make LaTeX files and run them through platex/dvipdfmx"
+ @echo " text to make text files"
+ @echo " man to make manual pages"
+ @echo " texinfo to make Texinfo files"
+ @echo " info to make Texinfo files and run them through makeinfo"
+ @echo " gettext to make PO message catalogs"
+ @echo " changes to make an overview of all changed/added/deprecated items"
+ @echo " xml to make Docutils-native XML files"
+ @echo " pseudoxml to make pseudoxml-XML files for display purposes"
+ @echo " linkcheck to check all external links for integrity"
+ @echo " doctest to run all doctests embedded in the documentation (if enabled)"
+ @echo " livehtml to run html server"
+
+clean:
+ rm -rf $(BUILDDIR)/*
+
+html:
+ $(SPHINXBUILD) -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/html."
+
+dirhtml:
+ $(SPHINXBUILD) -b dirhtml $(ALLSPHINXOPTS) $(BUILDDIR)/dirhtml
+ @echo
+ @echo "Build finished. The HTML pages are in $(BUILDDIR)/dirhtml."
+
+singlehtml:
+ $(SPHINXBUILD) -b singlehtml $(ALLSPHINXOPTS) $(BUILDDIR)/singlehtml
+ @echo
+ @echo "Build finished. The HTML page is in $(BUILDDIR)/singlehtml."
+
+pickle:
+ $(SPHINXBUILD) -b pickle $(ALLSPHINXOPTS) $(BUILDDIR)/pickle
+ @echo
+ @echo "Build finished; now you can process the pickle files."
+
+json:
+ $(SPHINXBUILD) -b json $(ALLSPHINXOPTS) $(BUILDDIR)/json
+ @echo
+ @echo "Build finished; now you can process the JSON files."
+
+htmlhelp:
+ $(SPHINXBUILD) -b htmlhelp $(ALLSPHINXOPTS) $(BUILDDIR)/htmlhelp
+ @echo
+ @echo "Build finished; now you can run HTML Help Workshop with the" \
+ ".hhp project file in $(BUILDDIR)/htmlhelp."
+
+qthelp:
+ $(SPHINXBUILD) -b qthelp $(ALLSPHINXOPTS) $(BUILDDIR)/qthelp
+ @echo
+ @echo "Build finished; now you can run "qcollectiongenerator" with the" \
+ ".qhcp project file in $(BUILDDIR)/qthelp, like this:"
+ @echo "# qcollectiongenerator $(BUILDDIR)/qthelp/FWaaSPluginforFuel.qhcp"
+ @echo "To view the help file:"
+ @echo "# assistant -collectionFile $(BUILDDIR)/qthelp/FWaaSPluginforFuel.qhc"
+
+devhelp:
+ $(SPHINXBUILD) -b devhelp $(ALLSPHINXOPTS) $(BUILDDIR)/devhelp
+ @echo
+ @echo "Build finished."
+ @echo "To view the help file:"
+ @echo "# mkdir -p $$HOME/.local/share/devhelp/FWaaSPluginforFuel"
+ @echo "# ln -s $(BUILDDIR)/devhelp $$HOME/.local/share/devhelp/FWaaSPluginforFuel"
+ @echo "# devhelp"
+
+epub:
+ $(SPHINXBUILD) -b epub $(ALLSPHINXOPTS) $(BUILDDIR)/epub
+ @echo
+ @echo "Build finished. The epub file is in $(BUILDDIR)/epub."
+
+latex:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo
+ @echo "Build finished; the LaTeX files are in $(BUILDDIR)/latex."
+ @echo "Run \`make' in that directory to run these through (pdf)latex" \
+ "(use \`make latexpdf' here to do that automatically)."
+
+latexpdf:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through pdflatex..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+latexpdfja:
+ $(SPHINXBUILD) -b latex $(ALLSPHINXOPTS) $(BUILDDIR)/latex
+ @echo "Running LaTeX files through platex and dvipdfmx..."
+ $(MAKE) -C $(BUILDDIR)/latex all-pdf-ja
+ @echo "pdflatex finished; the PDF files are in $(BUILDDIR)/latex."
+
+text:
+ $(SPHINXBUILD) -b text $(ALLSPHINXOPTS) $(BUILDDIR)/text
+ @echo
+ @echo "Build finished. The text files are in $(BUILDDIR)/text."
+
+man:
+ $(SPHINXBUILD) -b man $(ALLSPHINXOPTS) $(BUILDDIR)/man
+ @echo
+ @echo "Build finished. The manual pages are in $(BUILDDIR)/man."
+
+texinfo:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo
+ @echo "Build finished. The Texinfo files are in $(BUILDDIR)/texinfo."
+ @echo "Run \`make' in that directory to run these through makeinfo" \
+ "(use \`make info' here to do that automatically)."
+
+info:
+ $(SPHINXBUILD) -b texinfo $(ALLSPHINXOPTS) $(BUILDDIR)/texinfo
+ @echo "Running Texinfo files through makeinfo..."
+ make -C $(BUILDDIR)/texinfo info
+ @echo "makeinfo finished; the Info files are in $(BUILDDIR)/texinfo."
+
+gettext:
+ $(SPHINXBUILD) -b gettext $(I18NSPHINXOPTS) $(BUILDDIR)/locale
+ @echo
+ @echo "Build finished. The message catalogs are in $(BUILDDIR)/locale."
+
+changes:
+ $(SPHINXBUILD) -b changes $(ALLSPHINXOPTS) $(BUILDDIR)/changes
+ @echo
+ @echo "The overview file is in $(BUILDDIR)/changes."
+
+linkcheck:
+ $(SPHINXBUILD) -b linkcheck $(ALLSPHINXOPTS) $(BUILDDIR)/linkcheck
+ @echo
+ @echo "Link check complete; look for any errors in the above output " \
+ "or in $(BUILDDIR)/linkcheck/output.txt."
+
+doctest:
+ $(SPHINXBUILD) -b doctest $(ALLSPHINXOPTS) $(BUILDDIR)/doctest
+ @echo "Testing of doctests in the sources finished, look at the " \
+ "results in $(BUILDDIR)/doctest/output.txt."
+
+xml:
+ $(SPHINXBUILD) -b xml $(ALLSPHINXOPTS) $(BUILDDIR)/xml
+ @echo
+ @echo "Build finished. The XML files are in $(BUILDDIR)/xml."
+
+pseudoxml:
+ $(SPHINXBUILD) -b pseudoxml $(ALLSPHINXOPTS) $(BUILDDIR)/pseudoxml
+ @echo
+ @echo "Build finished. The pseudo-XML files are in $(BUILDDIR)/pseudoxml."
+
+livehtml:
+ sphinx-autobuild -b html $(ALLSPHINXOPTS) $(BUILDDIR)/html
diff --git a/doc/source/_static/add_firewall_to_r1.png b/doc/source/_static/add_firewall_to_r1.png
new file mode 100644
index 0000000..2006000
Binary files /dev/null and b/doc/source/_static/add_firewall_to_r1.png differ
diff --git a/doc/source/_static/add_firewall_to_r2.png b/doc/source/_static/add_firewall_to_r2.png
new file mode 100644
index 0000000..b0fb11c
Binary files /dev/null and b/doc/source/_static/add_firewall_to_r2.png differ
diff --git a/doc/source/_static/add_rule_to_policy.png b/doc/source/_static/add_rule_to_policy.png
new file mode 100644
index 0000000..d52e7bc
Binary files /dev/null and b/doc/source/_static/add_rule_to_policy.png differ
diff --git a/doc/source/_static/create_firewall.png b/doc/source/_static/create_firewall.png
new file mode 100644
index 0000000..643bdad
Binary files /dev/null and b/doc/source/_static/create_firewall.png differ
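Review bot: In doc/Makefile the `clean` recipe runs `rm -rf $(BUILDDIR)/*` while the header invites setting BUILDDIR from the command line, so an empty or mistyped value (`make clean BUILDDIR=`) expands to `rm -rf /*`; add a guard as the first recipe line, for example `$(if $(strip $(BUILDDIR)),,$(error BUILDDIR is empty))`. Separately, `.PHONY` lists `lifehtml` although the target is named `livehtml`, and `latexpdfja`, `texinfo`, `info`, `xml` and `pseudoxml` are not listed, so a file with one of those names in doc/ would keep the target from running. The `info` recipe calls a literal `make -C $(BUILDDIR)/texinfo info`; it should use `$(MAKE)` as `latexpdf` does so that `-n` and the jobserver propagate.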
diff --git a/doc/source/_static/create_policy.png b/doc/source/_static/create_policy.png
new file mode 100644
index 0000000..b92609b
Binary files /dev/null and b/doc/source/_static/create_policy.png differ
diff --git a/doc/source/_static/create_rule.png b/doc/source/_static/create_rule.png
new file mode 100644
index 0000000..e0a8e9f
Binary files /dev/null and b/doc/source/_static/create_rule.png differ
diff --git a/doc/source/_static/fill_firewall_params.png b/doc/source/_static/fill_firewall_params.png
new file mode 100644
index 0000000..ec2c4eb
Binary files /dev/null and b/doc/source/_static/fill_firewall_params.png differ
diff --git a/doc/source/_static/fill_policy_params.png b/doc/source/_static/fill_policy_params.png
new file mode 100644
index 0000000..fa71d11
Binary files /dev/null and b/doc/source/_static/fill_policy_params.png differ
diff --git a/doc/source/_static/fill_rule_parameters.png b/doc/source/_static/fill_rule_parameters.png
new file mode 100644
index 0000000..bc6e8b9
Binary files /dev/null and b/doc/source/_static/fill_rule_parameters.png differ
diff --git a/doc/source/_static/fwaas_in_fuel_ui.png b/doc/source/_static/fwaas_in_fuel_ui.png
new file mode 100644
index 0000000..369901c
Binary files /dev/null and b/doc/source/_static/fwaas_in_fuel_ui.png differ
diff --git a/doc/source/_static/insert_rule_into_policy.png b/doc/source/_static/insert_rule_into_policy.png
new file mode 100644
index 0000000..d0c8a4b
Binary files /dev/null and b/doc/source/_static/insert_rule_into_policy.png differ
diff --git a/doc/source/_static/net_arch.png b/doc/source/_static/net_arch.png
new file mode 100644
index 0000000..a5c0246
Binary files /dev/null and b/doc/source/_static/net_arch.png differ
diff --git a/doc/source/_static/security_groups.png b/doc/source/_static/security_groups.png
new file mode 100644
index 0000000..e31a4f1
Binary files /dev/null and b/doc/source/_static/security_groups.png differ
diff --git a/doc/source/_static/select_firewalls_menu.png b/doc/source/_static/select_firewalls_menu.png
new file mode 100644
index 0000000..643bdad
Binary files /dev/null and b/doc/source/_static/select_firewalls_menu.png differ
diff --git a/doc/source/_static/table_all_routers_with_fw_and_icmp_rule.png b/doc/source/_static/table_all_routers_with_fw_and_icmp_rule.png
new file mode 100644
index 0000000..de041af
Binary files /dev/null and b/doc/source/_static/table_all_routers_with_fw_and_icmp_rule.png differ
diff --git a/doc/source/_static/table_default.png b/doc/source/_static/table_default.png
new file mode 100644
index 0000000..dc4d318
Binary files /dev/null and b/doc/source/_static/table_default.png differ
diff --git a/doc/source/_static/table_fw_r1.png b/doc/source/_static/table_fw_r1.png
new file mode 100644
index 0000000..990f19e
Binary files /dev/null and b/doc/source/_static/table_fw_r1.png differ
diff --git a/doc/source/appendix.rst b/doc/source/appendix.rst
new file mode 100644
index 0000000..eb2beb7
--- /dev/null
+++ b/doc/source/appendix.rst
@@ -0,0 +1,10 @@
+Appendix
+--------
+
++----+-----------------------+-------------------------------------------------------------------------------------------------------------------------+
+| # | Title of resource | Link on resource |
++====+=======================+=========================================================================================================================+
+| 1 | Fuel Plugins CLI | `Link `_ |
++----+-----------------------+-------------------------------------------------------------------------------------------------------------------------+
+| 2 | Firewall-as-a-Service | `Link `_|
++----+-----------------------+-------------------------------------------------------------------------------------------------------------------------+
diff --git a/doc/source/conf.py b/doc/source/conf.py
new file mode 100644
index 0000000..4a45162
--- /dev/null
+++ b/doc/source/conf.py
@@ -0,0 +1,340 @@
+# -*- coding: utf-8 -*-
+#
+# fuel-plugin-fwaas documentation build configuration file, created by
+# sphinx-quickstart on Wed Oct 7 12:48:35 2015.
+#
+# This file is execfile()d with the current directory set to its
+# containing dir.
+#
+# Note that not all possible configuration values are present in this
+# autogenerated file.
+#
+# All configuration values have a default; values that are commented out
+# serve to show the default.
+
+import sys
+import os
+
+# If extensions (or modules to document with autodoc) are in another directory,
+# add these directories to sys.path here. If the directory is relative to the
+# documentation root, use os.path.abspath to make it absolute, like shown here.
+#sys.path.insert(0, os.path.abspath('.'))
+
+# -- General configuration ------------------------------------------------
+
+# If your documentation needs a minimal Sphinx version, state it here.
+#needs_sphinx = '1.0'
+
+# Add any Sphinx extension module names here, as strings. They can be
+# extensions coming with Sphinx (named 'sphinx.ext.*') or your custom
+# ones.
+extensions = [
+# 'sphinx.ext.todo',
+# 'sphinx.ext.coverage',
+]
+
+# Add any paths that contain templates here, relative to this directory.
+templates_path = ['_templates']
+
+# The suffix of source filenames.
+source_suffix = '.rst'
+
+# The encoding of source files.
+#source_encoding = 'utf-8-sig'
+
+# The master toctree document.
+master_doc = 'index'
+
+# General information about the project.
+project = u'The FWaaS plugin for Fuel'
+copyright = u'2015, Mirantis Inc.'
+
+# The version info for the project you're documenting, acts as replacement for
+# |version| and |release|, also used in various other places throughout the
+# built documents.
+#
+# The short X.Y version.
+version = '2.0-2.0.0-2'
+# The full version, including alpha/beta/rc tags.
+release = '2.0-2.0.0-2'
+
+# The language for content autogenerated by Sphinx. Refer to documentation
+# for a list of supported languages.
+#language = None
+
+# There are two options for replacing |today|: either, you set today to some
+# non-false value, then it is used:
+#today = ''
+# Else, today_fmt is used as the format for a strftime call.
+#today_fmt = '%B %d, %Y'
+
+# List of patterns, relative to source directory, that match files and
+# directories to ignore when looking for source files.
+exclude_patterns = []
+
+# The reST default role (used for this markup: `text`) to use for all
+# documents.
+#default_role = None
+
+# If true, '()' will be appended to :func: etc. cross-reference text.
+#add_function_parentheses = True
+
+# If true, the current module name will be prepended to all description
+# unit titles (such as .. function::).
+#add_module_names = True
+
+# If true, sectionauthor and moduleauthor directives will be shown in the
+# output. They are ignored by default.
+#show_authors = False
+
+# The name of the Pygments (syntax highlighting) style to use.
+pygments_style = 'sphinx'
+
+# A list of ignored prefixes for module index sorting.
+#modindex_common_prefix = []
+
+# If true, keep warnings as "system message" paragraphs in the built documents.
+#keep_warnings = False
+
+
+# -- Options for HTML output ----------------------------------------------
+
+# The theme to use for HTML and HTML Help pages. See the documentation for
+# a list of builtin themes.
+html_theme = 'default'
+
+# Theme options are theme-specific and customize the look and feel of a theme
+# further. For a list of options available for each theme, see the
+# documentation.
+#html_theme_options = {}
+
+# Add any paths that contain custom themes here, relative to this directory.
+#html_theme_path = []
+
+# The name for this set of Sphinx documents. If None, it defaults to
+# " v documentation".
+#html_title = None
+
+# A shorter title for the navigation bar. Default is the same as html_title.
+#html_short_title = None
+
+# The name of an image file (relative to this directory) to place at the top
+# of the sidebar.
+#html_logo = None
+
+# The name of an image file (within the static path) to use as favicon of the
+# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
+# pixels large.
+#html_favicon = None
+
+# Add any paths that contain custom static files (such as style sheets) here,
+# relative to this directory. They are copied after the builtin static files,
+# so a file named "default.css" will overwrite the builtin "default.css".
+html_static_path = ['_static']
+
+# Add any extra paths that contain custom files (such as robots.txt or
+# .htaccess) here, relative to this directory. These files are copied
+# directly to the root of the documentation.
+#html_extra_path = []
+
+# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
+# using the given strftime format.
+#html_last_updated_fmt = '%b %d, %Y'
+
+# If true, SmartyPants will be used to convert quotes and dashes to
+# typographically correct entities.
+#html_use_smartypants = True
+
+# Custom sidebar templates, maps document names to template names.
+#html_sidebars = {}
+
+# Additional templates that should be rendered to pages, maps page names to
+# template names.
+#html_additional_pages = {}
+
+# If false, no module index is generated.
+#html_domain_indices = True
+
+# If false, no index is generated.
+#html_use_index = True
+
+# If true, the index is split into individual pages for each letter.
+#html_split_index = False
+
+# If true, links to the reST sources are added to the pages.
+#html_show_sourcelink = True
+
+# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
+#html_show_sphinx = True
+
+# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
+#html_show_copyright = True
+
+# If true, an OpenSearch description file will be output, and all pages will
+# contain a tag referring to it. The value of this option must be the
+# base URL from which the finished HTML is served.
+#html_use_opensearch = ''
+
+# This is the file name suffix for HTML files (e.g. ".xhtml").
+#html_file_suffix = None
+
+# Output file base name for HTML help builder.
+htmlhelp_basename = 'fuel-plugin-fwaasdoc'
+
+
+# -- Options for LaTeX output ---------------------------------------------
+
+latex_elements = {
+# The paper size ('letterpaper' or 'a4paper').
+#'papersize': 'letterpaper',
+
+# The font size ('10pt', '11pt' or '12pt').
+#'pointsize': '10pt',
+
+# Additional stuff for the LaTeX preamble.
+#'preamble': '',
+}
+
+# Grouping the document tree into LaTeX files. List of tuples
+# (source start file, target name, title,
+# author, documentclass [howto, manual, or own class]).
+latex_documents = [
+ ('index', 'fuel-plugin-fwaas.tex', u'The FWaaS Plugin for Fuel Documentation',
+ u'Mirantis Inc.', 'manual'),
+]
+
+# The name of an image file (relative to this directory) to place at the top of
+# the title page.
+#latex_logo = None
+
+# For "manual" documents, if this is true, then toplevel headings are parts,
+# not chapters.
+#latex_use_parts = False
+
+# If true, show page references after internal links.
+#latex_show_pagerefs = False
+
+# If true, show URL addresses after external links.
+#latex_show_urls = False
+
+# Documents to append as an appendix to all manuals.
+#latex_appendices = []
+
+# If false, no module index is generated.
+#latex_domain_indices = True
+
+# make latex stop printing blank pages between sections
+# http://stackoverflow.com/questions/5422997/sphinx-docs-remove-blank-pages-from-generated-pdfs
+latex_elements = { 'classoptions': ',openany,oneside', 'babel' : '\\usepackage[english]{babel}' }
+
+
+# -- Options for manual page output ---------------------------------------
+
+# One entry per manual page. List of tuples
+# (source start file, name, description, authors, manual section).
+man_pages = [
+ ('index', 'fuel-plugin-fwaas', u'Guide to the FWaaS Plugin ver. 2.0-2.0.0-2 for Fuel',
+ [u'Mirantis Inc.'], 1)
+]
+
+# If true, show URL addresses after external links.
+#man_show_urls = False
+
+
+# -- Options for Texinfo output -------------------------------------------
+
+# Grouping the document tree into Texinfo files. List of tuples
+# (source start file, target name, title, author,
+# dir menu entry, description, category)
+texinfo_documents = [
+ ('index', 'fuel-plugin-fwaas', u'The FWaaS Plugin for Fuel Documentation',
+ u'Mirantis Inc.', 'fuel-plugin-fwaas', 'The FWaaS Plugin for Fuel Documentation',
+ 'Miscellaneous'),
+]
+
+# Documents to append as an appendix to all manuals.
+#texinfo_appendices = []
+
+# If false, no module index is generated.
+#texinfo_domain_indices = True
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#texinfo_show_urls = 'footnote'
+
+# If true, do not generate a @detailmenu in the "Top" node's menu.
+#texinfo_no_detailmenu = False
+
+# Insert footnotes where they are defined instead of
+# at the end.
+pdf_inline_footnotes = True
+
+
+
+# -- Options for Epub output ----------------------------------------------
+
+# Bibliographic Dublin Core info.
+epub_title = u'The FWaaS Plugin for Fuel'
+epub_author = u'Mirantis Inc.'
+epub_publisher = u'Mirantis Inc.'
+epub_copyright = u'2015, Mirantis Inc.'
+
+# The basename for the epub file. It defaults to the project name.
+#epub_basename = u'fuel-plugin-openbook'
+
+# The HTML theme for the epub output. Since the default themes are not optimized
+# for small screen space, using the same theme for HTML and epub output is
+# usually not wise. This defaults to 'epub', a theme designed to save visual
+# space.
+#epub_theme = 'epub'
+
+# The language of the text. It defaults to the language option
+# or en if the language is not set.
+#epub_language = ''
+
+# The scheme of the identifier. Typical schemes are ISBN or URL.
+#epub_scheme = ''
+
+# The unique identifier of the text. This can be a ISBN number
+# or the project homepage.
+#epub_identifier = ''
+
+# A unique identification for the text.
+#epub_uid = ''
+
+# A tuple containing the cover image and cover page html template filenames.
+#epub_cover = ()
+
+# A sequence of (type, uri, title) tuples for the guide element of content.opf.
+#epub_guide = ()
+
+# HTML files that should be inserted before the pages created by sphinx.
+# The format is a list of tuples containing the path and title.
+#epub_pre_files = []
+
+# HTML files shat should be inserted after the pages created by sphinx.
+# The format is a list of tuples containing the path and title.
+#epub_post_files = []
+
+# A list of files that should not be packed into the epub file.
+epub_exclude_files = ['search.html']
+
+# The depth of the table of contents in toc.ncx.
+#epub_tocdepth = 3
+
+# Allow duplicate toc entries.
+#epub_tocdup = True
+
+# Choose between 'default' and 'includehidden'.
+#epub_tocscope = 'default'
+
+# Fix unsupported image types using the PIL.
+#epub_fix_images = False
+
+# Scale large images.
+#epub_max_image_width = 0
+
+# How to display URL addresses: 'footnote', 'no', or 'inline'.
+#epub_show_urls = 'inline'
+
+# If false, no index is generated.
+#epub_use_index = True
diff --git a/doc/source/index.rst b/doc/source/index.rst
new file mode 100644
index 0000000..d11fe06
--- /dev/null
+++ b/doc/source/index.rst
@@ -0,0 +1,21 @@
+.. fuel-plugin-fwaas-doc master file, created by
+ sphinx-quickstart on Mon Nov 16 09:11:57 2015.
+ You can adapt this file completely to your liking, but it should at least
+ contain the root `toctree` directive.
+
+Welcome to FWaaS Plugin for Fuel's documentation!
+=================================================
+
+.. toctree::
+ :maxdepth: 4
+
+ overview
+ installation_guide
+ user_guide
+ appendix
+
+
+Indices and tables
+==================
+
+* :ref:`search`
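Review bot: In doc/source/conf.py `latex_elements` is assigned twice: the dict under "Options for LaTeX output" is replaced wholesale by the later `latex_elements = { 'classoptions': ',openany,oneside', ... }`, so any key someone later uncomments in the first dict (`'papersize'`, `'preamble'`) would be silently discarded. Keep a single definition, or make the second statement an update of the first, e.g. `latex_elements.update({'classoptions': ',openany,oneside', 'babel': '\\usepackage[english]{babel}'})`. The version string `2.0-2.0.0-2` is also written out separately in `version`, `release` and the `man_pages` description; building the description from `release` would keep the three from drifting apart.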
diff --git a/doc/source/installation_guide.rst b/doc/source/installation_guide.rst
new file mode 100644
index 0000000..c910463
--- /dev/null
+++ b/doc/source/installation_guide.rst
@@ -0,0 +1,52 @@
+.. _installation:
+
+Installation Guide
+-------------------
+
+Installing FWaaS plugin
++++++++++++++++++++++++
+
+
+#. Download the plug­in from `Fuel Plugins Catalog`_.
+
+#. Copy the plug­in on already installed Fuel Master node::
+
+ [user@home ~]$ scp fwaas-plugin-1.1-1.1.0-1.noarch.rpm root@:/
+ :~/
+
+#. Log into the Fuel Master node. Install the plugin::
+
+ [root@fuel ~]# fuel plugins --install fwaas-plugin-1.1-1.1.0-1.noarch.rpm
+
+#. Verify that the plugin is installed correctly::
+
+ [root@fuel ~]# fuel plugins --list
+ id | name | version | package_version
+ ---|--------------|---------|----------------
+ 1 | fwaas_plugin | 1.1.0 | 2.0.0
+
+
+Creating Environment with FWaaS
++++++++++++++++++++++++++++++++
+
+#. After plug­in is installed, create a new OpenStack environment with Neutron
+ as a network provider.
+
+#. `Configure your environment`_.
+
+#. Open the Settings tab of the Fuel web UI and scroll down the page. Select
+ FWaaS plugin checkbox:
+
+ .. image:: _static/fwaas_in_fuel_ui.png
+
+#. `Deploy your environment`_.
+
+
+**********
+References
+**********
+
+.. target-notes::
+.. _Fuel Plugins Catalog: https://software.mirantis.com/download-mirantis-openstack-fuel-plug-ins
+.. _Configure your environment: http://docs.mirantis.com/openstack/fuel/fuel-7.0/user-guide.html#configure-your-environment
+.. _Deploy your environment: http://docs.mirantis.com/openstack/fuel/fuel-7.0/user-guide.html#deploy-changes
diff --git a/doc/source/overview.rst b/doc/source/overview.rst
new file mode 100644
index 0000000..f332404
--- /dev/null
+++ b/doc/source/overview.rst
@@ -0,0 +1,75 @@
+.. _overview:
+
+Document purpose
+================
+
+This document provides instructions for installing, configuring and using
+Neutron Firewall-as-a-Service plugin for Fuel.
+
+
+Key terms, acronyms and abbreviations
+-------------------------------------
+
++----------------------------+------------------------------------------------+
+| Term/abbreviation | Definition |
++============================+================================================+
+| FWaaS | Firewall-as-a-Service |
++----------------------------+------------------------------------------------+
+| IPTables | A user-space application program that allows |
+| | a system administrator to configure the tables |
+| | provided by the Linux kernel firewall and the |
+| | chains and rules it stores. Different kernel |
+| | modules and programs are currently used for |
+| | different protocols; IPTables applies to IPv4, |
+| | ip6tables to IPv6, arptables to ARP, and |
+| | ebtables to Ethernet frames. |
++----------------------------+------------------------------------------------+
+| VM | Virtual Machine (Instance) |
++----------------------------+------------------------------------------------+
+
+
+FWaaS Plugin
+------------
+
+The Firewall-as-a-Service (FWaaS) is a Neutron plugin, which adds perimeter
+firewall management to Networking. FWaaS uses IPTables to apply firewall policy
+to the selected router. Whereas security groups operate at the instance-level,
+FWaaS operates at the router-level.
+
+
+Requirements
+------------
+
++----------------------------+------------------------------------------------+
+| Requirement | Version/Comment |
++============================+================================================+
+| Fuel | 7.0 release with Maintenance Update 2 |
++----------------------------+------------------------------------------------+
+| OpenStack compatibility | 2015.1 Kilo with Maintenance Update 2 |
++----------------------------+------------------------------------------------+
+| Operating systems | Ubuntu 14.04 LTS |
++----------------------------+------------------------------------------------+
+
+
+Limitations
+-----------
+
+FWaaS plugin can be enabled only in environments with Neutron with ML2 plugin
+with OpenVSwitch Mechanism driver (default configuration) as the networking
+option and tested only with the IPTables driver.
+
+
+Known issues
+------------
+
+Please make sure that your environment contains maintenance update MU-2 for
+MOS 7.0 which has a fix for the High bug:
+`[FWaaS] Error firewall state after updating policy or rule`_
+
+If your environment doesn't contain MU-2, please apply it:
+`How to apply Mirantis OpenStack 7.0 Maintenance Update`_
+
+.. target-notes::
+.. _[FWaaS] Error firewall state after updating policy or rule: https://bugs.launchpad.net/mos/7.0.x/+bug/1510576
+.. _How to apply Mirantis OpenStack 7.0 Maintenance Update: https://docs.mirantis.com/openstack/fuel/fuel-7.0/maintenance-updates.html
+
diff --git a/doc/source/user_guide.rst b/doc/source/user_guide.rst
new file mode 100644
index 0000000..3ee0726
--- /dev/null
+++ b/doc/source/user_guide.rst
@@ -0,0 +1,177 @@
+
+.. _user-guide:
+
+User Guide
+==========
+
+Configuring FWaaS service
+-------------------------
+
+
+Once OpenStack has been deployed, we can start configuring FWaaS.
+
+This section provides an example of configuration and step-by-step instructions
+for configuring the plugin.
+
+Here is an example task. We will have the following network architecture in our
+Project:
+
+ .. figure:: _static/net_arch.png
+ :scale: 100 %
+ :align: center
+
+Before we start, we need to be remember that every Project in OpenStack is
+assigned the default security group for the cluster in its default form, which
+is usually restrictive. So you’ll probably need to create a few additional
+rules in each Project’s default security group: like a general ICMP rule,
+enabling pings, and a port 22 TCP rule, enabling SSH an example task:
+
+ .. figure:: _static/security_groups.png
+ :scale: 100 %
+ :align: center
+
+Let's get started with the testing of connectivity between our VMs (using ping).
+So, for the current state situation is the following (see the network topology
+above):
+
+ .. figure:: _static/table_default.png
+ :scale: 100 %
+ :align: center
+
+
+1. Let's create **Firewall**
+
+ Open *Network* menu in the left-hand menu and select *Firewalls* option.
+
+ .. figure:: _static/select_firewalls_menu.png
+ :scale: 100 %
+ :align: center
+
+2. Create **Policy**
+
+ Enter *Firewall Policies* tab and click *Add Policy* button.
+
+ .. figure:: _static/create_policy.png
+ :scale: 100 %
+ :align: center
+
+ In this window, we should fill in policy name and description of this
+ policy in the *Name* and *Description* fields. Also, here we can set
+ *Shared* and *Audited flags*:
+
+ * *Shared* - allow to share your policy with all other Projects.
+ * *Audited* - indicate whether the particular firewall policy was
+ audited or not by the creator of the firewall policy.
+
+ And click *Add* button to finish.
+
+ .. figure:: _static/fill_policy_params.png
+ :scale: 100 %
+ :align: center
+
+3. Create **Firewall**
+
+ Enter *Firewalls* tab and click *Create Firewall* button.
+
+ .. figure:: _static/create_firewall.png
+ :scale: 100 %
+ :align: center
+
+ In *Add Firewall* tab we should fill in *Name*, *Description* fields and
+ choose our policy that was created in previous step.
+ * *Shared* - allow to share your Firewall with all other Projects.
+ * *Admin State* - option provide an ability to set UP or DOWN the
+ Firewall.
+
+ .. figure:: _static/fill_firewall_params.png
+ :scale: 100 %
+ :align: center
+
+ **NOTE**: The firewall remains in *PENDING_CREATE* state until you create
+ a Networking router and attach an interface to it.
+
+ In *Routers* tab we should choose routers from the available routers on
+ which we want to enable our Firewall. Let's apply it only for router **r1**.
+
+ .. figure:: _static/add_firewall_to_r1.png
+ :scale: 100 %
+ :align: center
+
+4. Let’s test connectivity between our VMs with new Firewall which we applied
+ on the router **r1**
+
+ .. figure:: _static/table_fw_r1.png
+ :scale: 100 %
+ :align: center
+
+ **WARNING**: Firewall always adds a default rule to **deny** all at the
+ lowest precedence of each policy. Consequently, a firewall policy with no
+ rules blocks all traffic by default.
+
+ Since we applied our Firewall only for the router **r1** we can that **r1**
+ blocks all traffic and router **r2** works as before. For the adding and
+ removing routers to the Firewall we should click drop-down button near the
+ *Edit Firewall* button and select *Add/Remove Router*:
+
+ .. figure:: _static/add_firewall_to_r2.png
+ :scale: 100 %
+ :align: center
+
+5. Create **Rule**
+
+ For the allowing ICMP traffic we need to create a new rule.
+ Enter *Firewall Rules* tab and press *Add Rule* button:
+
+
+ .. figure:: _static/create_rule.png
+ :scale: 100 %
+ :align: center
+
+ Here, as usual we should fill in Name and Description fields. And specify
+ the type of traffic, a couple of flags and action for it:
+
+ * *Protocol* - type of protocol (ICMP, TCP, UDP or ANY).
+ * *Source( Destination) IP Address/Subnet* - It might be single IP
+ 172.18.161.10 or CIDR like 172.18.161.0/24
+ * *Source(Destination) Port / Port Range* - It might be a single Port 80
+ or range like 100:200.
+ * *Action* - what to do (ALLOW or DENY) with this type traffic.
+ * *Shared* - allow to share your rule with all other Projects.
+ * *Enable* - provide an ability to turn ON or OFF this rule.
+
+ .. figure:: _static/fill_rule_parameters.png
+ :scale: 100 %
+ :align: center
+
+6. Add **Rule** to the **Policy**
+
+ Add the created rule into our policy:
+
+ * Enter Firewall Policies.
+ * In column for our policy, click drop-down button and select Insert
+ Rule.
+
+ .. figure:: _static/add_rule_to_policy.png
+ :scale: 100 %
+ :align: center
+
+ * In *Insert Rule to Policy* window, we can choose the necessary rule
+ and specify the order of applying the rules. It's important that the
+ rules are setup in proper order. The first rule that matches the type
+ of traffic will be used.
+
+ .. figure:: _static/insert_rule_into_policy.png
+ :scale: 100 %
+ :align: center
+
+7. And let’s test connectivity again
+
+ .. figure:: _static/table_all_routers_with_fw_and_icmp_rule.png
+ :scale: 100 %
+ :align: center
+
+ The situation is the same that we have without a Firewall, but only for the
+ ICMP traffic while for the other types of packets it remained the same as
+ at the beginning.
+
+